From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 70AD73630BF for ; Sun, 12 Apr 2026 18:25:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.50 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776018357; cv=none; b=o7hjQQ+KSdCeFQdzx5I0dgw/6SLvs8ndEznGbYhWz0JMk679l1AnvNPsOwxH+0q9o7zw+A/C7gVVG6yh88cVmkZHpxPOnRSs+kMyZeUvUguBPd5skNyir5megxGlid15fazoB9nHcozo3mwSdOCl+0bm5veCpZfJpUA2UMzOuys= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776018357; c=relaxed/simple; bh=1zJtVufJSEP6Q5SnuAXWDx7j0TqoyY8c3ryWRg4Oyqc=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=fcNGCNQqW9LrO+NJ/vD1V6xs3+lo+cPWxY+CiZha87ha5EcJ69pqhWjNq92/lm77HxIRjwOFZH2eTnWcno+6dcUizxeb8CKxapv9AkTwxY7WYk9LS3Cd/80g+Q2movVuohN217bZCvkMeXXiWaJORwyOL5dvYNA1q47zduYc+O4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=jykN9AR0; arc=none smtp.client-ip=209.85.128.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="jykN9AR0" Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-488afb0427eso46448495e9.1 for ; Sun, 12 Apr 2026 11:25:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776018355; x=1776623155; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=sUaZCt2imrHRQTUxqdlKlKY1LHwdFZ1j8C6DlIvvcGA=; b=jykN9AR05uDRS9U2SY2rFAy3zu3xKtupqd/sgsVZOZ5/+ZXG7Knhgh6GaCUVxoOjaj mtkkIVjt2n81Pkrstc7Ba0USYcdbzi3uh8SExAXcqq9dNEFjKmpLOSE5YH27WkoAiFWu 0xdLPL3SGSk2bEmu4v02eC0rZYLBGdG7P+VjuOWvxZAV819w2xTLDHdkNMKAp077b73y Dvqes6924QsrikpqMtjQSL/H3Wdc6j4Fxm0sk2sIxzXSDMHRVq6mxmLaHY56DFoV/dOF D9fQ9hKeceJHZ/3x7lLBjgQBxzjJtQyT/HZ1n5W+887P2B/7s4h0UmyknnF8YInumXPn 7ZEw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776018355; x=1776623155; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=sUaZCt2imrHRQTUxqdlKlKY1LHwdFZ1j8C6DlIvvcGA=; b=dRn35L6ritNgy/02XxBYEGxbT6M9Sn9rbw9f6WwHjtkMUYS5+HlxDBKzIhW3D7yL2i xBM6iADkEmUbg6iw7LhWwLTj5qwQA5a6bzdtCXVrrUEd2aELRvJrcuIgkdFafGMOk6LL R3IGe+QfYrXOuZnbCtk8+UzxGGiSKeamMKJSnJC0F3HXPkNos0+kSNvbcVktUS7e6suN +ZsnXSG1Dc7LVDiJTQ0abapW5pQVuyMC2DDEnOnYTl1C+66UY4qM0NFAEV21xraRv5qw M9z/z86A5/xfrhrHFYpd/M/q/jHSlA+s81ooWrWewOW31uALGIdPRN2K7TSqHQUFhNjr 9W3w== X-Forwarded-Encrypted: i=1; AJvYcCWv3j7wypTwfXXGKCNbave6/8TYUKfMcyW2L6su9fq/aWro1BHU4fLHqcvopGV9zyeATDDCgDMHjXiPGOk=@vger.kernel.org X-Gm-Message-State: AOJu0Yz7oU/1AnCu/p+LN//vsQLLvokjifSvhl4oCDV7/BwPhXTd573w 0a+KUyXORAGzT/szjEi73PvhQJ+ACgEVNKWZDm5mP574CgQFnnfN+5FK X-Gm-Gg: AeBDiesdINw4UdI8djv1EXExi1RqpkFJ8j1NWy6wy0bamOddbfjlTus6PlvixYS4Fm5 PSmhW0XuTBcH0PbXm30Ngt5ducPtqvLbl22o5vfA/bbSlNyGwJbbyKGSjz9tk/J/nwkRllnHs/v 9FFC2F534YnTmv0gvUtGLkjau55P0BEQokf+Tf/wh8hikI86NlkNMHFNHfHHPnBs6ZEOh3moc+P OrN/hwU42L0dV1lUckSDvtaeEqaXHGHB1x4Yzmc9L10dXCbEbqiA0OMqasT8BULKrx9ttzGhrBr t7OLonETJPUHydWTKGu1NbDJMojaQX7YXNvsZiAgSIKp47MFOkMij7vP74lKLpPanO1sQf9xwuB 2qc5iHaHOAPCrCu9C5/zYoK7454kyyPk1r3aWPbZa6V5WSyIgoQhMDGlwLdvj4HQcGXx0KQ23P0 PBpbJsPxtAuCYtVmNdSO9xabvZDR7x9A== X-Received: by 2002:a05:600c:45ce:b0:488:a8f0:35bd with SMTP id 5b1f17b1804b1-488d67df745mr149370035e9.8.1776018354584; Sun, 12 Apr 2026 11:25:54 -0700 (PDT) Received: from gmail.com ([2a00:f41:1ccb:26a3:2a0c:50ff:fe2f:36f4]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-488e07f8207sm54197285e9.1.2026.04.12.11.25.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Apr 2026 11:25:53 -0700 (PDT) Date: Sun, 12 Apr 2026 20:25:51 +0200 From: "Jose A. Perez de Azpillaga" To: syzbot Cc: dwlsalmeida@gmail.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, syzkaller-bugs@googlegroups.com Subject: [PATCH] media: dvb-core: fix memory leak in dvb_dmxdev_add_pid() on start failure Message-ID: References: <69d411c9.a70a0220.a26f2.003e.GAE@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <69d411c9.a70a0220.a26f2.003e.GAE@google.com> When dvb_dmxdev_add_pid() adds a new dmxdev_feed to the filter's ts list and then dvb_dmxdev_start_feed() fails, the function returns the error code but leaves the orphaned feed entry in the list without cleaning up. Fix this by removing the orphaned feed from the list and freeing it when dvb_dmxdev_start_feed() fails in dvb_dmxdev_add_pid(). Fixes: 1cb662a31449 ("V4L/DVB (12275): Add two new ioctls: DMX_ADD_PID and DMX_REMOVE_PID") Reported-by: syzbot+afc686a471d70896c5d9@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=afc686a471d70896c5d9 Tested-by: syzbot+afc686a471d70896c5d9@syzkaller.appspotmail.com Signed-off-by: Jose A. Perez de Azpillaga --- drivers/media/dvb-core/dmxdev.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c index 3c8bc75e4d6c..401a0cbb4138 100644 --- a/drivers/media/dvb-core/dmxdev.c +++ b/drivers/media/dvb-core/dmxdev.c @@ -901,8 +901,15 @@ static int dvb_dmxdev_add_pid(struct dmxdev *dmxdev, feed->pid = pid; list_add(&feed->next, &filter->feed.ts); - if (filter->state >= DMXDEV_STATE_GO) - return dvb_dmxdev_start_feed(dmxdev, filter, feed); + if (filter->state >= DMXDEV_STATE_GO) { + int ret = dvb_dmxdev_start_feed(dmxdev, filter, feed); + + if (ret < 0) { + list_del(&feed->next); + kfree(feed); + } + return ret; + } return 0; } -- 2.53.0